summaryrefslogtreecommitdiff
path: root/usr.sbin
diff options
context:
space:
mode:
authorReyk Floeter <reyk@cvs.openbsd.org>2015-01-16 14:34:52 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2015-01-16 14:34:52 +0000
commitd3d7dfebd243c5ecf7915e85f0c4e6dcedd62efe (patch)
treeb01ef93403a05ce28e23228b1ccb0cfd1fed5b00 /usr.sbin
parent40ca7cdc4f74b7b2bc982a71e965c441e1b44c24 (diff)
The SSL/TLS session Id context is limited to 32 bytes. Instead of
using the name of relayd relay or smtpd pki, use a 32 byte arc4random buffer that should be unique for the context. This fixes an issue in OpenSMTPD when a long pki name could break the configuration. OK gilles@ benno@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/relayd/relay.c13
-rw-r--r--usr.sbin/smtpd/ssl.c13
2 files changed, 18 insertions, 8 deletions
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index bb0651948c4..894c26dc06a 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.184 2014/12/21 00:54:49 guenther Exp $ */
+/* $OpenBSD: relay.c,v 1.185 2015/01/16 14:34:51 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -1986,6 +1986,7 @@ relay_tls_ctx_create(struct relay *rlay)
struct protocol *proto = rlay->rl_proto;
SSL_CTX *ctx;
EC_KEY *ecdhkey;
+ u_int8_t sid[SSL_MAX_SID_CTX_LENGTH];
ctx = SSL_CTX_new(SSLv23_method());
if (ctx == NULL)
@@ -2081,9 +2082,13 @@ relay_tls_ctx_create(struct relay *rlay)
goto err;
}
- /* Set session context to the local relay name */
- if (!SSL_CTX_set_session_id_context(ctx, rlay->rl_conf.name,
- strlen(rlay->rl_conf.name)))
+ /*
+ * Set session ID context to a random value. We don't support
+ * persistent caching of sessions so it is OK to set a temporary
+ * session ID context that is valid during run time.
+ */
+ arc4random_buf(sid, sizeof(sid));
+ if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
goto err;
/* The text versions of the keys/certs are not needed anymore */
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 981f2b0c21c..156bfec0654 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.72 2014/10/16 09:40:46 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.73 2015/01/16 14:34:51 reyk Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -69,12 +69,17 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki)
{
DH *dh;
SSL_CTX *ctx;
+ u_int8_t sid[SSL_MAX_SID_CTX_LENGTH];
ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len);
- if (!SSL_CTX_set_session_id_context(ctx,
- (const unsigned char *)pki->pki_name,
- strlen(pki->pki_name) + 1))
+ /*
+ * Set session ID context to a random value. We don't support
+ * persistent caching of sessions so it is OK to set a temporary
+ * session ID context that is valid during run time.
+ */
+ arc4random_buf(sid, sizeof(sid));
+ if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
goto err;
if (pki->pki_dhparams_len == 0)